Abstract

We present a Prolog program (the SAT solver of Howe and King) as a logic program with
added control. The control consists of a selection rule (delays of Prolog) and pruning the
search space. We construct the logic program together with proofs of its correctness and
completeness, with respect to a formal specification. This is augmented by a proof of
termination under any selection rule. Correctness and termination are inherited by the Prolog
program; the change of selection rule preserves completeness. We prove that completeness is
also preserved by one case of pruning; for the other an informal justification is presented.

For proving correctness we use a method, which should be well known but is often neglected. 
A contribution of this paper is a method for proving completeness. In particular we introduce 
a notion of semi-completeness, for which a local sufficient condition exists. 

We compare the proof methods with declarative diagnosis (algorithmic debugging). We 
introduce a method of proving that a certain kind of pruning preserves completeness. We 
argue that the proof methods correspond to natural declarative thinking about programs, 
and that they can be used, formally or informally, in every-day programming. 

KEYWORDS: logic programming, program correctness, program completeness, specification, 
declarative programming, declarative diagnosis. 



1 Introduction 

The purpose of this paper is to show to what extent the correctness-related issues of
a Prolog program can, in practice, be dealt with with mathematical precision. We present
a construction of a useful Prolog program. We view it as a logic program with added
control. We formally prove that the logic program conforms to its specification and
partly informally justify that adding control preserves this property. We argue that
the employed methods are not difficult and can be used by actual programmers.



Howe and King (2012) presented a SAT solver which is an elegant and concise Prolog
program of 22 lines. Formally it is not a (pure) logic program, as it includes nonvar/1
and the if-then-else of Prolog; it was constructed as an implementation of an algorithm,
using logical variables and coroutining. The algorithm is DPLL with watched literals
and unit propagation (see (Howe and King 2012) for references). Here we look at the
program from a declarative point of view. We show how it can be obtained by adding
control to a definite clause logic program.

We first present a simple logic program of five clauses, and then modify it in order
to obtain a logic program on which the intended control can be imposed. The control
involves fixing the selection rule (by means of the delay mechanisms of Prolog), and
pruning some redundant fragments of the search space. In constructing both the
introductory program and the final one, we begin with a specification, describing the
relations to be defined by the program. We argue about the usefulness of approximate
specifications. For both logic programs we present formal proofs of their correctness
and completeness. In the second case the proofs are performed together with the
construction of the program. We also prove termination under any selection rule. Adding
control preserves correctness and termination. Completeness of the final program with
control is justified partly informally.

To facilitate the proofs we present the underlying proof methods for correctness and
completeness. For proving correctness we use the method of (Clark 1979). For proving
completeness we introduce a simplification of the method of (Drabent and Milkowska
2005). We also introduce a way of proving that a certain kind of pruning SLD-trees
preserves completeness.

Preliminaries. In this paper we consider definite clause programs (i.e. logic programs
without negation). We use the standard notation and definitions, see e.g. (Apt 1997).
In our main examples we assume a Herbrand universe like in Prolog, based on an
alphabet of infinitely many function symbols of each arity $\geq 0$. However the
theoretical considerations of Sect. 3 are valid for arbitrary nonempty Herbrand universe.
By $\mathit{ground}(P)$ we mean the set of ground instances of a program P (under a given
Herbrand universe).

We use the Prolog notation for lists. Names of variables begin with an upper-case
letter. By a list we mean a term of the form $[t_1,\ldots,t_n]$ (so terms like [a,a|X], or [a,a|a]
are not considered lists). As we deal with clauses as data, and clauses of programs,
the latter will be called rules to avoid confusion. Given a predicate symbol p, by an
atom for p we mean an atom whose predicate symbol is p, and by a rule for p - a
rule whose head is an atom for p. By a procedure p we mean all the rules for p in the
program under consideration.

Organization of the paper. The next section presents a simple and inefficient SAT
solver. Section 3 is the theoretical part of this paper. It formalizes the notion of a
specification, presents the method for proving program correctness, and introduces the
methods for completeness. As an example, correctness and completeness of the simple
SAT solver are proved. Then related work is discussed, in particular a comparison
with declarative diagnosis methods is made. In Section 4 the final logic program is
constructed in hand with its correctness and completeness proof. Section 5 considers
adding control to the program. Section 6 contains conclusions. The Appendix presents
the proofs omitted in Section 3 and a stronger variant of the completeness proving
method.

2 Propositional satisfiability - first logic program

Representation of propositional formulae. We first describe the form of data used by
the programs discussed in this paper, namely the encoding of propositional formulae
in CNF as terms proposed by (Howe and King 2012).

Propositional variables are represented as logical variables; truth values - as
constants true, false. A literal of a clause is represented as a pair of a truth value and a
variable; a positive literal, say $x$, as true-X and a negative one, say $\neg x$, as false-X.
A clause is represented as a list of (representations of) literals, and a conjunction of
clauses as a list of their representations. For instance a formula
$(x \lor \neg y \lor z) \land (\neg x \lor v)$
is represented as [[true-X,false-Y,true-Z],[false-X,true-V]]. An assignment
of truth values to variables can be represented as a substitution. Thus a clause
(represented by) $f$ is true under an assignment (represented by) $\theta$ iff the list $f\theta$ has an
element of the form t-t, i.e. false-false or true-true. A formula in CNF is
satisfiable iff its representation has an instance whose each element (is a list which) contains
a t-t. We will often say "formula $f$" for a formula in CNF represented as a term $f$,
similarly for clauses etc.

The program. Now we construct a simple logic program $P_1$ checking satisfiability of
CNF formulae represented as above. We begin with describing the relations (unary
relations, i.e. sets) to be defined by the program. Let

    $L_1$ be the set of ground terms of the form $[t_1,\ldots,t_n|s]$ ($n > 0$), where
          $t_i = t\text{-}t$ for some $i \in \{1,\ldots,n\}$, and some term $t$,        (1)
    $L_2$ be the set of lists whose all elements are from $L_1$.

A clause $f$ is true under an assignment $\theta$ iff the list $f\theta$ is in $L_1$. A formula in CNF is
satisfiable iff it has an instance in $L_2$.

Alternatively, we can use a subset $L_1^0 \subseteq L_1$:

    $L_1^0 = \{\, [t_1\text{-}u_1,\ldots,t_n\text{-}u_n] \mid n > 0,\ t_1,\ldots,t_n,u_1,\ldots,u_n \text{ are ground},\ t_i = u_i \text{ for some } i \in \{1,\ldots,n\} \,\}$

and the set $L_2^0$ of lists whose each element is from $L_1^0$. Moreover, any set $L_2'$ such that
$L_2^0 \subseteq L_2' \subseteq L_2$ will do: a formula in CNF is satisfiable iff it has an instance in $L_2'$ (as
any its instance from $L_2$ is also in $L_2^0 \subseteq L_2'$).

We chose $L_1$, $L_2$, as the corresponding program is simpler (and also more efficient).
However $L_1^0$, $L_2^0$ will be employed in Sect. 4. Predicate sat_cnf of the program defines
$L_2$, it refers to a predicate sat_cl, defining $L_1$. The program is constructed in a rather
obvious way:

    sat_cnf([]).                                                    (2)
    sat_cnf([Clause|Clauses]) ← sat_cl(Clause), sat_cnf(Clauses).   (3)
    sat_cl([Pol-Var|Pairs]) ← Pol = Var.                            (4)
    sat_cl([H|Pairs]) ← sat_cl(Pairs).                              (5)
    =(X,X).                                                         (6)

In the next section we prove that the program does define the intended sets. In
Sect. 4 we transform the program into a more sophisticated logic program, for which
one can apply the intended control modifications, which result in an efficient Prolog
program.

Footnote: It may be additionally required that $t_j, u_j \in \{\mathit{true}, \mathit{false}\}$ for $j = 1,\ldots,n$. We do not
impose this restriction.

Footnote: In the rule (4) we followed the style of (Howe and King 2012), the reader may instead
prefer a unary rule sat_cl([Pol-Pol|Pairs]).

3 Correctness and completeness

In this section we show how to prove that a program indeed defines the required 
relations. Basically we follow the approach of (Drabent and Milkowska 2005). We 
present a special case of the correctness criterion used there, and we extend and 
simplify the method of proving completeness. Then we discuss a certain way of pruning 
SLD-trees, and introduce a method of proving that the pruning preserves completeness. 
In this section we allow an arbitrary alphabet of function symbols, requiring only that 
it contains at least one constant (so the Herbrand universe is nonempty). 



Specifications. We provided a specification for the program $P_1$ by giving a set for each
predicate; the predicate should define this set. In a general case, for an n-argument
predicate p the specification gives an n-argument relation, to be defined by p. Let us
call a ground atom $p(t_1,\ldots,t_n)$ specified if the tuple $(t_1,\ldots,t_n)$ is in the relation
corresponding to p. The set S of specified atoms can be seen as a Herbrand
interpretation; it is a convenient way to represent the specification. From now on we assume
that a (formal) specification is a Herbrand interpretation; given a specification S,
each $A \in S$ is called a specified atom.

So in our case, the specified atoms are those of the form

    sat_cnf(t),  where $t \in L_2$,
    sat_cl(s),   where $s \in L_1$,                                   (7)
    x = x,       where x is an arbitrary ground term.

This set of specified atoms will be denoted $S_1$.



Correctness and completeness. In imperative programming, correctness usually means
that the program results are as specified. In logic programming, due to its
non-deterministic nature, we have actually two issues: correctness (all the results are
compatible with the specification) and completeness (all the results required by the
specification are produced). In other words, correctness means that the relation
defined by the program is a subset of the specified one, and completeness means inclusion
in the opposite direction. In terms of specified atoms and the least Herbrand model
$M_P$ of a program P we have: P is correct w.r.t. S iff $M_P \subseteq S$; it is complete w.r.t. S
iff $M_P \supseteq S$ (where S is a specification represented as a set of ground atoms).
It is useful to relate correctness and completeness with answers of programs.

Proposition 1

Let P be a program, Q a query, and S a specification.

If P is correct w.r.t. S and $Q\theta$ is an answer for P then $S \models Q\theta$.

If P is complete w.r.t. S and $S \models Q\sigma$, for a ground $Q\sigma$, then $Q\sigma$ is an answer for
P, and is an instance of some computed answer for P and Q.

Footnote: By a computed (respectively correct) answer for a program P and a query Q we mean an
instance $Q\theta$ of Q where $\theta$ is a computed (correct) answer substitution (Apt 1997) for Q and P.
We often say just "answer", as each computed answer is a correct one, and each correct answer
(for Q) is a computed answer (for Q or for some its instance $Q\sigma$). Thus, by soundness and
completeness of SLD-resolution, $Q\theta$ is an answer for P iff $P \models Q\theta$.

Footnote: Note that for any ground query $Q\sigma$ we have $S \models Q\sigma$ iff all the atoms of $Q\sigma$ are in S.
Proof

In the first case, we have $M_P \subseteq S$ and $M_P \models Q\theta$. Hence $S \models Q\theta$. In the second
case, $S \subseteq M_P$ and $S \models Q\sigma$, hence $M_P \models Q\sigma$ and thus $P \models Q\sigma$, by Th. 4.30 of
(Apt 1997). By completeness of SLD-resolution, $Q\sigma$ is an instance of some computed
answer for P and Q. □

Approximate specifications. Notice that if a program P is both correct and complete
w.r.t. S then $M_P = S$ and the specification describes exactly the relations defined by
P. Often it is difficult (and not necessary) to specify the relations exactly. A standard
example is the usual definition of append, see (Drabent and Milkowska 2005) for a
discussion. In such cases a natural solution is to specify $M_P$ approximately, by giving
separate specifications $S_{compl}$, $S_{corr}$ for completeness and correctness, requiring that
$S_{compl} \subseteq M_P \subseteq S_{corr}$. The specifications describe, respectively, which atoms have to
be computed, and which are allowed to be computed. We illustrate this approach in
Sect. 4 and point out its importance for declarative diagnosis in Sect. 3.4.



3.1 Correctness



To prove correctness we use the following property (Clark 1979); see (Drabent and
Milkowska 2005) for further examples, explanations, references and discussion.

Theorem 2 (Correctness)

A sufficient condition for a program P to be correct w.r.t. specification S is
    for each ground instance $H \leftarrow B_1,\ldots,B_n$ of a rule of the program,
    if $B_1,\ldots,B_n \in S$ then $H \in S$.

Note that a compact representation of the sufficient condition is $S \models P$.

Proof

The sufficient condition means that S is a Herbrand model of P. Thus $M_P \subseteq S$, as
$M_P$ is the least model of P. □

Applying Th. 2 it is easy to show that $P_1$ is correct w.r.t. $S_1$. For instance consider
rule (5), and its arbitrary ground instance sat_cl([u|s]) ← sat_cl(s). If sat_cl(s) $\in S_1$
then $s \in L_1$, hence $[u|s] \in L_1$ and sat_cl([u|s]) $\in S_1$. We leave the rest of the proof to
the reader.



3.2 Completeness 

We begin with introducing a few auxiliary notions. Let us say that a program P is
complete for an atomic query A if, for any specified ground instance $A\theta$ of A, $A\theta$ is
in $M_P$. Generally, P is complete for a query $Q = A_1,\ldots,A_n$ w.r.t. a specification
S when $S \models Q\theta$ implies that $Q\theta$ is an answer for P, for any ground instance $Q\theta$ of
Q (equivalently, $A_1\theta,\ldots,A_n\theta \in S$ implies $A_1\theta,\ldots,A_n\theta \in M_P$). Informally, complete
for Q means that all the answers for Q required by the specification are computed.

Note that a program is complete w.r.t. S iff it is complete w.r.t. S for any query iff
it is complete w.r.t. S for any query $A \in S$.

Footnote: Groundness of $Q\sigma$ is used here, and is necessary for the proposition to hold. As a
counterexample, consider a finite alphabet of function symbols, say {a, b}, and take P = S,
say {p(a). p(b).}. Then query p(X) is true in the interpretation S, but it is not an answer for
program P (as it is not a logical consequence of P; $S \models p(X)$ but $P \not\models p(X)$). However P is
complete w.r.t. S.

We also say that a program P is semi-complete w.r.t. S if P is complete for any
query Q for which there exists a finite SLD-tree. Note that the existence of a finite
SLD-tree means that P with Q terminates under some selection rule. For a
semi-complete program, if a computation for a query Q terminates then all the answers
for Q required by the specification have been obtained. Note that a complete program is
semi-complete. We also have:

Proposition 3

Let a program P be semi-complete w.r.t. S. The program is complete w.r.t. S if
1. for each ground atomic query $A \in S$ there exists a finite SLD-tree, or
2. the program is recurrent or acceptable (Apt 1997, Chapter 6).

Proof

For a program P semi-complete w.r.t. S, condition 1 implies that P is complete w.r.t.
S for each query $A \in S$; hence $S \subseteq M_P$. Condition 2 implies condition 1. □



A ground atom H is called covered (Shapiro 1983) by a program P w.r.t. a
specification S if H is the head of a ground instance $H \leftarrow B_1,\ldots,B_n$ of a rule of the
program, such that all the atoms $B_1,\ldots,B_n$ are in S. For instance, given a specification
$S = \{\, p(s^i(0)) \mid i \geq 0 \,\}$, atom p(s(0)) is covered both by a program {p(s(X)) ← p(X).}
and by

Now we are ready to present a sufficient condition for completeness.

Theorem 4 (Completeness)

Let P be a definite clause program, S a specification, and Q a query.
If
    all the atoms from S are covered by P, and
    there exists a finite SLD-tree for Q and P
then P is complete for Q w.r.t. S.

If all the atoms from S are covered by P then P is semi-complete w.r.t. S.

The proof and a stronger sufficient condition for completeness are presented in the 
Appendix. 

Let us apply Th. 4 to our program. First let us show that all the atoms from $S_1$ are
covered by $P_1$ (and thus $P_1$ is semi-complete). For instance consider a specified atom
A = sat_cnf(t). Thus t is a ground list of elements from $L_1$. If t is nonempty then
t = [s|t'], where $s \in L_1$, $t' \in L_2$. Thus a ground instance A ← sat_cl(s), sat_cnf(t')
of a clause of $P_1$ has all its body atoms specified, so A is covered. If t is empty then
A is covered as it is the head of the rule sat_cnf([]). The reasoning for the remaining
atoms of $S_1$ is similar, and left to the reader.

So the program is semi-complete w.r.t. $S_1$, and it remains to show its termination. An
informal justification is that, for a reasonable initial query (or for an arbitrary ground
initial query), the predicates are invoked with (closed) lists as arguments, and each
recursive call employs a shorter list. For a formal proof, we use the standard approach
(Bezem 1993; Apt 1997, Chapter 6.2) and show that the program is recurrent. Let us
define a level mapping

    $|[h|t]| = |h| + |t|$,
    $|f(t_1,\ldots,t_n)| = 1$ where $n \geq 0$ and $f$ is not [ | ],
    $|\mathit{sat\_cnf}(t)| = |\mathit{sat\_cl}(t)| = |t|$,
    $|t = t'| = 0$,

for any ground terms $h, t, t', t_1,\ldots,t_n$, and any function symbol $f$. Note that
$|[t_1,\ldots,t_n]| = 1 + \sum_{i=1}^{n} |t_i|$, and that $|t| > 0$ for any term t. It is easy to show that
the program $P_1$ is recurrent under the level mapping $|\ |$, i.e. for each ground instance
$H \leftarrow \ldots,B,\ldots$ of a clause of $P_1$, we have $|H| > |B|$. For example, for a ground
instance sat_cnf([t|t']) ← sat_cl(t), sat_cnf(t') of (3) we have $|\mathit{sat\_cnf}([t|t'])| = |t| + |t'|$,
which is both greater than $|\mathit{sat\_cl}(t)| = |t|$, and than $|\mathit{sat\_cnf}(t')| = |t'|$. (We leave further
details to the reader.) By Proposition 3, $P_1$ is complete w.r.t. $S_1$.

In this section we are interested in declarative properties of programs: correctness
and completeness. To show completeness of $P_1$ we proved that it is recurrent. This
implies termination for bounded queries, which include ground ones. As a consequence
we obtain an important operational property of $P_1$: it terminates for the queries for
which the program is intended to be used. Consider a query

    Q = sat_cnf(t)                                                  (8)

where

    t is a list of lists of elements of the form s-s'.              (9)

Note that the representations of propositional formulae that we use are of the form
(9), and the intended queries to the program are of the form (8). For any ground
instance $Q\theta$ of such query $|Q\theta|$ is the same. So Q is bounded. Thus each SLD-tree for
$P_1$ and Q is finite, in other words $P_1$ terminates for Q under any selection rule.
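
An added example (not code from the paper): a bounded Python check of the sufficient conditions of Th. 2 and of Th. 4 (covering) for the program of rules (2)-(6) w.r.t. the specification (7), over ground terms of small depth. The term encoding, the function names, the sample of atoms and the faulty rule BAD5 (rule (5) with [Pairs] in place of Pairs) are assumptions made for the illustration; such a bounded search can only find violations, it does not replace the proofs.

```python
from itertools import product

NIL = '[]'
def cons(h, t): return ('.', h, t)          # Prolog [H|T]
def pair(a, b): return ('-', a, b)          # Prolog A-B
def lst(*xs):                               # closed list [x1,...,xn]
    t = NIL
    for x in reversed(xs): t = cons(x, t)
    return t
def is_var(t): return isinstance(t, str) and t[:1].isupper()

# Rules (2)-(6) of P1 as (head, body); capitalised strings are variables.
P1 = {
    2: (('sat_cnf', NIL), []),
    3: (('sat_cnf', cons('Clause', 'Clauses')), [('sat_cl', 'Clause'), ('sat_cnf', 'Clauses')]),
    4: (('sat_cl', cons(pair('Pol', 'Var'), 'Pairs')), [('=', 'Pol', 'Var')]),
    5: (('sat_cl', cons('H', 'Pairs')), [('sat_cl', 'Pairs')]),
    6: (('=', 'X', 'X'), []),
}
# Assumed faulty variant of rule (5), with [Pairs] where Pairs was meant.
BAD5 = (('sat_cl', cons('H', 'Pairs')), [('sat_cl', lst('Pairs'))])

def in_L1(t):
    """[t1,...,tn|s], n > 0, with some ti of the form u-u; the tail s is arbitrary."""
    while isinstance(t, tuple) and t[0] == '.':
        h = t[1]
        if isinstance(h, tuple) and h[0] == '-' and h[1] == h[2]: return True
        t = t[2]
    return False

def in_L2(t):
    """Closed list whose elements are all in L1."""
    while isinstance(t, tuple) and t[0] == '.':
        if not in_L1(t[1]): return False
        t = t[2]
    return t == NIL

def in_S1(atom):
    """The specification S1 of (7) as a membership test on ground atoms."""
    if atom[0] == 'sat_cnf': return in_L2(atom[1])
    if atom[0] == 'sat_cl': return in_L1(atom[1])
    return atom[0] == '=' and atom[1] == atom[2]

def inst(t, s):                             # apply substitution s to t
    if is_var(t): return s[t]
    return (t[0],) + tuple(inst(a, s) for a in t[1:]) if isinstance(t, tuple) else t
def variables(t):
    if is_var(t): return {t}
    return set().union(*[variables(a) for a in t[1:]]) if isinstance(t, tuple) else set()

def match(pat, term, s):
    """Match a rule head against a ground atom; returns a substitution or None."""
    if is_var(pat):
        if pat not in s: return {**s, pat: term}
        return s if s[pat] == term else None
    if not isinstance(pat, tuple): return s if pat == term else None
    if not (isinstance(term, tuple) and len(term) == len(pat) and term[0] == pat[0]):
        return None
    for p, t in zip(pat[1:], term[1:]):
        s = match(p, t, s)
        if s is None: return None
    return s

def terms(depth, consts=('true', NIL)):
    """Ground terms of bounded depth built from the constants, [_|_] and _-_."""
    ts = list(consts)
    for _ in range(depth):
        ts = list(consts) + [f(a, b) for f in (cons, pair) for a in ts for b in ts]
    return ts

def incorrect_instances(rules, budget=50_000):
    """Th. 2, bounded: per rule, a ground instance with body in S1 but head not in S1."""
    found = {}
    for n, (head, body) in rules.items():
        vs = sorted(variables(head).union(*[variables(b) for b in body]))
        depth = 2 if len(terms(2)) ** len(vs) <= budget else 1   # keep the search small
        for vals in product(terms(depth), repeat=len(vs)):
            s = dict(zip(vs, vals))
            if all(in_S1(inst(b, s)) for b in body) and not in_S1(inst(head, s)):
                found[n] = (inst(head, s), [inst(b, s) for b in body])
                break
    return found

def uncovered(atoms, rules):
    """Th. 4: specified atoms that head no rule instance whose body atoms are all in S1."""
    def covered(a):
        for head, body in rules.values():
            s = match(head, a, {})
            if s is not None and all(in_S1(inst(b, s)) for b in body): return True
        return False
    return [a for a in atoms if in_S1(a) and not covered(a)]

# Constructed sample of specified atoms (illustrative, not exhaustive).
LONG = lst(pair('false', 'true'), pair('true', 'true'))   # [false-true, true-true]
CLAUSES = [t for t in terms(2) if in_L1(t)] + [LONG]
SAMPLE = ([('sat_cl', c) for c in CLAUSES] + [('=', t, t) for t in terms(1)]
          + [('sat_cnf', lst(*cs)) for n in range(3) for cs in product(CLAUSES, repeat=n)])
```

With rule (5) removed, or replaced by BAD5, the only uncovered sample atom is sat_cl([false-true,true-true]): the sat_cnf atoms stay covered because covering is judged against the specification, not against what the faulty procedure sat_cl computes.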



3.3 Pruning SLD-trees and completeness 

Pruning some parts of SLD-trees is often used to improve efficiency of programs. Some
kinds of it can be implemented by employing the cut. In our main example we use the
if-then-else construct instead, following (Howe and King 2012). Pruning preserves the
correctness of a logic program, it also preserves termination under a given selection
rule, but may violate the program's completeness. We show how to formally prove
that completeness is preserved under a particular kind of pruning.

By a pruned SLD-tree for a program P and a query Q we mean a tree with the
root Q which is a connected subgraph of an SLD-tree for P and Q. By an answer
of a pruned SLD-tree we mean the computed answer of a successful SLD-derivation
which is a branch of the tree. We will say that a pruned SLD-tree T with root Q is
complete w.r.t. a specification S if, for any ground $Q\theta$, $S \models Q\theta$ implies that $Q\theta$ is
an instance of an answer of T.

Assume a fixed specification. In the next section we deal with a program P
containing two redundant clauses, of the form $H \leftarrow B_1$, $H \leftarrow B_2$. Each of them is sufficient;
formally: both $\Pi_1 = P \setminus \{H \leftarrow B_1\}$ and $\Pi_2 = P \setminus \{H \leftarrow B_2\}$ are complete. For a selected
atom with the same predicate symbol as H, only one of the rules is to be used. As the
choice is dynamic, such pruned SLD-tree is neither an SLD-tree for $\Pi_1$, nor $\Pi_2$. So the
pruned tree may be not complete. We present a sufficient condition for completeness
of such pruned trees.

We will consider SLD-derivations in which not only atoms in the queries, but also
program rules are chosen by a selection rule. Let us consider logic programs $\Pi_1,\ldots,\Pi_n$
(n > 1). The intention is that each of them is complete w.r.t. a common specification.
Typically, most of the rules of the programs are the same, as in the special case outlined
above.

A csSLD-tree (cs for clause selection) for a query Q and programs $\Pi_1,\ldots,\Pi_n$
is constructed as an SLD-tree, but for each node its children are constructed using
exactly one program $\Pi_i$. (We skip a formal introduction of a notion of cs-selection rule,
which selects the program for a node.) Notice that a csSLD-tree for Q and $\Pi_1,\ldots,\Pi_n$
is a pruned SLD-tree for Q and $\bigcup_i \Pi_i$. An answer of a csSLD-tree is defined in the
obvious way.

Proposition 5

Let $\Pi_1,\ldots,\Pi_n$ be programs, Q a query, and S a specification.
If
    for each $i = 1,\ldots,n$, all the atoms from S are covered by $\Pi_i$, and
    a csSLD-tree T for Q is finite
then T is complete w.r.t. S.

For a proof see Appendix A. It immediately follows:

Corollary 6

If each atom from S is covered by each $\Pi_i$ then whenever $P = \bigcup_i \Pi_i$ terminates for Q
under some selection rule R, then each csSLD-tree for Q under R is finite and complete
w.r.t. S.

Informally, such csSLD-tree produces all the answers for Q required by S.
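
An added example (not code from the paper): a small Python SLD interpreter with clause selection, run on the four-rule program q(X) ← p(Y,X). p(Y,0). p(a,s(X)) ← p(a,X). p(b,s(X)) ← p(b,X). that the paper gives as its example of an incomplete pruned tree. Assumptions: the term encoding and function names, leftmost atom selection, a cs-selection rule that depends only on the depth of the node, and which of the last two rules each of Π1, Π2 drops.

```python
import itertools

def is_var(t): return isinstance(t, str) and t[:1].isupper()

def walk(t, s):
    """Dereference a variable through the substitution s."""
    while is_var(t) and t in s:
        t = s[t]
    return t

def unify(a, b, s):
    """Unifier of a and b extending s, or None (no occurs check, as in Prolog)."""
    a, b = walk(a, s), walk(b, s)
    if a == b: return s
    if is_var(a): return {**s, a: b}
    if is_var(b): return {**s, b: a}
    if isinstance(a, tuple) and isinstance(b, tuple) and a[0] == b[0] and len(a) == len(b):
        for x, y in zip(a[1:], b[1:]):
            s = unify(x, y, s)
            if s is None: return None
        return s
    return None

def resolve(t, s):
    """Apply s exhaustively to t."""
    t = walk(t, s)
    return (t[0],) + tuple(resolve(x, s) for x in t[1:]) if isinstance(t, tuple) else t

def rename(t, k):
    """Fresh variant of a rule component: every variable gets the suffix _k."""
    if is_var(t): return f'{t}_{k}'
    return (t[0],) + tuple(rename(x, k) for x in t[1:]) if isinstance(t, tuple) else t

Q  = (('q', 'X'), [('p', 'Y', 'X')])                 # q(X) <- p(Y,X).
P0 = (('p', 'Y', '0'), [])                           # p(Y,0).
PA = (('p', 'a', ('s', 'X')), [('p', 'a', 'X')])     # p(a,s(X)) <- p(a,X).
PB = (('p', 'b', ('s', 'X')), [('p', 'b', 'X')])     # p(b,s(X)) <- p(b,X).
PI1 = [Q, P0, PA]      # assumption: Pi1 is P without the b-rule
PI2 = [Q, P0, PB]      # assumption: Pi2 is P without the a-rule

def answers(atom, choose):
    """Answers of the csSLD-tree for a one-atom query.

    choose(depth) returns the program whose rules build the children of a node
    at that depth; the leftmost atom of each query is selected."""
    fresh = itertools.count()
    def solve(goals, s, depth):
        if not goals:                      # empty query: a successful branch
            yield s
            return
        for head, body in choose(depth):
            k = next(fresh)
            s2 = unify(goals[0], rename(head, k), s)
            if s2 is not None:
                yield from solve([rename(b, k) for b in body] + goals[1:], s2, depth + 1)
    return [resolve(atom, s) for s in solve([atom], {}, 0)]

def num(i):
    """The term s^i(0)."""
    t = '0'
    for _ in range(i):
        t = ('s', t)
    return t

def alternate(depth):
    """A cs-selection rule that switches between Pi1 and Pi2 at every level."""
    return PI1 if depth % 2 else PI2
```

Each of Π1 and Π2 used alone answers every ground query q(s^i(0)) tried, while the finite tree built with `alternate` gives no answer from i = 2 on. This does not contradict Proposition 5: the specification contains only atoms for q, so none of its atoms is covered by Π1 or Π2.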



3.4 Related work 

The correctness proving method of Clark (1979) used here should be well-known,
but is often neglected. For instance, an important monograph (Apt 1997) uses a more
complicated method, which may be seen as referring to the operational semantics
(LD-resolution). Actually, the method proves some property of LD-derivations, from which
the declarative property of program correctness follows. See (Drabent and Milkowska
2005) for comparison and argumentation that the simpler method is sufficient.



Proving completeness has been seldom considered. For instance it is not discussed
in (Apt 1997). Deransart and Maluszynski (1993) present criteria for program
completeness, in a sophisticated framework of relating logic programming and attribute
grammars. Their Th. 6.1 states, roughly speaking, that P is complete w.r.t. S iff there
exists a weaker specification S' such that each atom from S' is covered by P w.r.t.
S', and a certain condition holds, which is in a sense similar to P being recurrent
(but more general). The method presented here (Th. 4) is a simplification of that from
(Drabent and Milkowska 2005) (an initial version appeared in (Drabent 1999)). In that
work the notion of completeness is slightly different, arbitrary interpretation domains
are allowed, and a generalization for programs with negation is given. Th. 4 is not a
corollary of the results of that work.

Footnote: As an example consider a program P:

    q(X) ← p(Y,X).    p(Y,0).    p(a,s(X)) ← p(a,X).    p(b,s(X)) ← p(b,X).

where $\Pi_1$, respectively $\Pi_2$ are obtained from P by removing one of the last two rules. As a
specification for completeness consider $S = \{\, q(t) \mid t = s^i(0),\ i \geq 0 \,\}$. Each program P, $\Pi_1$, $\Pi_2$
is complete, but alternating choice of the last two rules leads to a non complete pruned tree for P.

Footnote: Instead obtaining the set of all computed instances of a given query is discussed. This is
based on computing the least Herbrand model of the considered program P, or of a certain subset of
$\mathit{ground}(P)$.

Declarative diagnosis. We now discuss the relation between program diagnosis, and
proving correctness and completeness of programs. Declarative diagnosis methods
(called sometimes declarative debugging) were introduced by Shapiro (1983) (see also
(Drabent et al. 1989) and references therein). They locate in a program the reason
for its incorrectness or incompleteness. A diagnosis algorithm begins with a symptom
(obtained from testing the program): an answer Q such that $S \not\models Q$, or a query Q
for which computation terminates but some answers required by S are not produced.
(An alternative notion for incompleteness symptom is an atom $A \in S$ for which the
program finitely fails.) The located error turns out to be the program fragment (a rule
or a procedure) which violates our sufficient condition for correctness or, respectively,
semi-completeness.

More precisely, in declarative diagnosis the reason for incorrectness is an incorrect
clause instance. An incorrect clause instance is one which violates the sufficient
condition of Th. 2. Obviously, by Th. 2, if the program is incorrect then such clause must
exist. An attempt of constructing a correctness proof will fail on such clause. For
instance, in this way the author found an error in a former version of $P_1$ (there was
[Pairs] instead of Pairs).

Similarly, as the reason for incompleteness a diagnosis method finds a not covered
specified atom, say $p(\ldots) \in S$; in this way procedure p is found to be erroneous.
The method is applicable to queries with finite SLD-trees. Existence of a not covered
specified atom violates the sufficient condition for completeness of Th. 4. Conversely,
if the program is not complete for a query Q with a finite SLD-tree then, by Th. 4,
there must exist a not covered specified atom.

Another similarity between declarative diagnosis and our proof methods is that
the actions performed by a diagnosis algorithm boil down to checking the sufficient
conditions for correctness (respectively semi-completeness), but only for some clause
instances (some specified atoms) - those involved in producing the symptom.

The approach to specifications we (and the declarative diagnosis approaches) use has
a limitation. For instance, in specifying a predicate p it cannot be expressed that there
exists a b such that p(a,b). As a specification (for completeness) is an interpretation,
it has to state some (one or more) particular b for each a. This problem seems not to
exist when we use a logical theory as a specification. (The specification may include an
axiom $\exists b.\, p(a,b)$.) This idea is present in (Deransart and Maluszynski 1993; Drabent
and Milkowska 2005).

A serious difficulty in using declarative diagnosis methods is that they assume an
exact specification (a single intended model) of the program. Then answering of some
diagnoser queries, like "is append([a],b,[a|b]) correct" may be difficult, as the
programmer often does not know some details of the intended model, like those related
to applying append on non lists. The problem can be overcome by employing
approximate specifications (cf. Approximate specifications in Sect. 3); using the specification
for correctness in incorrectness diagnosis, and that for completeness in diagnosing
incompleteness.

Footnote: However a violation of the sufficient condition does not imply that the program is
incorrect. For an example, add all the atoms of the form sat_cl(t) to the specification $S_1$,
obtaining $S_1'$. Program $P_1$ is still correct w.r.t. $S_1'$, but the sufficient condition of Th. 2 does not
hold for rule (3). An informal explanation is that $S_1'$ specifies predicate sat_cl too generally.
Notice that in such case the program is, we may say, potentially incorrect. Replacing some rules
by ones satisfying the sufficient condition for correctness (or adding such rules) may result in an
incorrect program. For instance, $P_1$ with an added fact sat_cl([]) is incorrect w.r.t. $S_1'$.

Footnote: Again, violating the sufficient condition for completeness does not imply that the program
is not complete. (Informally, in such case the specification is not sufficiently general.)



3.5 Discussion 

Note that the presented criterion for correctness deals with separate program rules,
the criterion for semi-completeness deals with program procedures (to check that an
atom $p(\ldots)$ is covered one has to consider all the clauses for p), and the criteria for
completeness involve termination, which may depend on the whole program.

Correctness and completeness are declarative properties, they are independent from
the operational semantics. If dealing with them required reasoning in terms of
operational semantics then logic programming would not deserve to be called a declarative
programming paradigm. The sufficient criteria of Th. 2, 4 for correctness and
semi-completeness are purely declarative, they treat program clauses as logical formulae,
and abstract from any operational notions. The picture is somehow tainted by the
step from semi-completeness to completeness. In our approach it involves termination,
which is clearly an operational property. Deransart and Maluszynski (1993, Th. 6.1)
show how to prove completeness declaratively. Their criterion includes a condition
similar to those for proving termination, but more complicated. Here we chose the
simpler solution and refer to program termination, which for practical programs has
to be established anyway. Note that semi-completeness alone may be a useful property,
as it guarantees that whenever the computation terminates, all the required answers
have been computed.

We want to stress the simplicity and naturalness of the sufficient conditions for
correctness and semi-completeness (Th. 2, 4). Informally, the first one says that the
clauses of a program should produce only correct conclusions, given correct premises.
The other says that each ground atom that should be produced by P has to be the
head of a clause instance, whose body atoms should be produced by P too. The author
believes that this is a way a competent programmer reasons about (the declarative
semantics of) a logic program. The next section illustrates practical applicability of
the sufficient conditions in programming.

Footnote: The problem has been pointed out in (Drabent et al. 1989, Sect. 26.8) and discussed in
(Naish 2000) (see also references therein). The solution given in the latter paper is more complicated
than what we propose here. A specification in (Naish 2000) classifies each ground atom as correct,
erroneous or inadmissible. For such specifications, three-valued declarative debugging algorithms are
presented. From our point of view, the set of non-erroneous atoms can be understood as a
specification for correctness, and the set of correct atoms as a specification for completeness. However
introducing debugging algorithms based on a three-valued logic seems to be an unnecessary
complication.

4 Preparing for adding control 

To be able to influence the control of program $P_1$ in the intended way, in this section
we construct a more sophisticated logic program $P_3$, with a program $P_2$ as an initial
stage. The construction is guided by a formal specification, and done together with
a correctness and semi-completeness proof. We only partially discuss the reasons for
particular design decisions in constructing $P_3$ and in adding control, as the algorithmic
and efficiency issues are outside of the scope of this work.

As explained in Sect. 2, it is sufficient that sat_cnf defines an arbitrary set L_sat_cnf 
such that L2^0 ⊆ L_sat_cnf ⊆ L2 (similarly for sat_cl, L1^0 and L1). So now we do not 
specify the set exactly. Instead, in constructing P2 we will use two specifications: for 
completeness and for correctness, based on L1^0, L2^0 and L1, L2, respectively. 

The rules for sat_cnf and = from P1, i.e. (2), (3), (6), are included in P2. We modify 
the definition of sat_cl, introducing some new predicates. The new predicates and 
sat_cl would define the same set L_sat_cl (or the subset of L_sat_cl of lists longer than 
1). However they would represent elements of L_sat_cl in a different way. 

To simplify the presentation, we provide now the specification for the new predicates. 
Explanations are given later on, while introducing each predicate. In the specification 
for correctness the new specified atoms are 

sat_cl3(s, v, p), where [p-v|s] ∈ L1, 
sat_cl5(v1, p1, v2, p2, s), 
sat_cl5a(v1, p1, v2, p2, s), where [p1-v1, p2-v2|s] ∈ L1. (10) 

So a specification S2 for correctness is obtained by adding these literals to specification 
S1. The set of atoms of specification S2^0 for completeness is described by (7) and (10) 
with (each occurrence of) Li replaced by Li^0 (i = 1, 2). Note that S2^0 ⊆ S2. 

In what follows, SC1 stands for the sufficient condition from Th. 2 for correctness 
w.r.t. S2, and SC2 for the sufficient condition from Th. 4 for semi-completeness w.r.t. 
S2^0 (i.e. each atom from S2^0 is covered). While discussing a procedure p, we consider 
SC2 for atoms of the form p(...) from S2^0. Let SC stand for SC1 and SC2. 

We leave to the reader a simple check of SC2 for sat_cnf (SC1 for sat_cnf and SC 
for = have been already done). 

Program P1 performs inefficient search by means of backtracking. We are going to 
improve it by delaying unification of pairs Pol-Var in sat_cl. The idea is to perform 
such unification if Var is the only unbound variable of the clause. Otherwise, sat_cl 
is to be delayed until one of the first two variables of the clause becomes bound to 
true or false. 

Footnote: The clause which is (represented as) the argument of sat_cl in the rule for sat_cnf. 

This idea will be implemented by separating two cases: the clause has one literal, 
or more. For efficiency reasons we want to distinguish these two cases by means of 
indexing the main symbol of the first argument. So the argument should be the tail 
of the list. (The main symbol is [] for a one element list, and [ | ] for longer lists.) We 
redefine sat_cl, introducing an auxiliary predicate sat_cl3. It defines the same set as 
sat_cl, but a clause [Pol-Var|Pairs] is represented as three arguments Pairs, Var, Pol 
of sat_cl3. A new procedure for sat_cl is obvious: 

sat_cl([Pol-Var|Pairs]) ← sat_cl3(Pairs, Var, Pol). (11) 

SC are trivially satisfied (we leave the simple details to the reader). 

Procedure sat_cl3 has to cover each atom A = sat_cl3(s, v, p) ∈ S2^0, i.e. each A such 
that [p-v|s] = [t1-u1, ..., tn-un] and ti = ui for some i. Assume first s = []. Then 
p = v; this suggests a rule 

sat_cl3([], Var, Pol) ← Var = Pol. (12) 

Its ground instance sat_cl3([], p, p) ← p = p covers A w.r.t. S2^0. Conversely, each 
instance of (12) with the body atom in S2 is of this form, its head is in S2, hence SC1 
holds. 

When the first argument of sat_cl3 is not [], then we want to delay 
sat_cl3(Pairs, Var, Pol) until Var or the first variable of Pairs is bound. In order 
to do this in, say, Sicstus, we need to make the two variables separate arguments 
of a predicate. So we introduce a five-argument predicate sat_cl5, which is going to be 
delayed. It defines the set of the lists from L_sat_cl of length greater than 1; however a 
list [Pol1-Var1, Pol2-Var2 | Pairs] is represented as the five arguments Var1, Pol1, 
Var2, Pol2, Pairs of sat_cl5. The intention is to delay selecting sat_cl5 until its first 
or third argument is bound (is not a variable). So the following rule completes the 
definition of sat_cl3. 

sat_cl3([Pol2-Var2|Pairs], Var1, Pol1) ← sat_cl5(Var1, Pol1, Var2, Pol2, Pairs). (13) 

We leave an easy check of SC1 to the reader. For SC2 consider an atom A = 
sat_cl3(s, v, p) ∈ S2^0 where s ≠ []. Then s = [p'-v'|s'] and [p-v, p'-v'|s'] ∈ L1^0. Thus 
B = sat_cl5(v, p, v', p', s') ∈ S2^0, and A is covered by the ground instance A ← B 
of (13). Hence each atom sat_cl3(s, v, p) ∈ S2^0 is covered by (12) or (13). 



In evaluating sat_cl5, we want to treat the bound variable (the first or the third 
argument) in a special way. So we make it the first argument of a new predicate 
sat_cl5a, with the same declarative semantics as sat_cl5. 

sat_cl5(Var1, Pol1, Var2, Pol2, Pairs) ← sat_cl5a(Var1, Pol1, Var2, Pol2, Pairs). (14) 
sat_cl5(Var1, Pol1, Var2, Pol2, Pairs) ← sat_cl5a(Var2, Pol2, Var1, Pol1, Pairs). (15) 

SC are trivially satisfied. Moreover, SC2 is satisfied by each of the two rules alone. 
So each of them is sufficient to define sat_cl5. (Formally, the program without (14) or 
without (15) remains semi-complete.) The control will choose the one that results in 
invoking sat_cl5a with its first argument bound. 



Footnote: Notice that some atoms of the form sat_cl(s), sat_cl3(s, v, p) from S2 \ S2^0 are not covered (e.g. when 
s = [a, true-true]); this is the reason why the program is not complete w.r.t. S2 (and sat_cl in P2 
defines a proper subset of L1). 

To build a procedure sat_cl5a we have to provide rules which cover each atom 
A = sat_cl5a(v1, p1, v2, p2, s) ∈ S2^0. Note that A ∈ S2^0 iff [p1-v1, p2-v2|s] ∈ L1^0 iff 
p1 = v1 or [p2-v2|s] ∈ L1^0 iff p1 = v1 or sat_cl3(s, v2, p2) ∈ S2^0. So two clauses follow 

sat_cl5a(Var1, Pol1, Var2, Pol2, Pairs) ← Var1 = Pol1. (16) 
sat_cl5a(Var1, Pol1, Var2, Pol2, Pairs) ← sat_cl3(Pairs, Var2, Pol2). (17) 

The first one covers A when p1 = v1, the second when [p2-v2|s] ∈ L1^0. Thus SC2 holds 
for each atom sat_cl5a(...) ∈ S2^0. To check SC1, consider a ground instance of (16), 
with the body atom in S2. So it is of the form 

sat_cl5a(p, p, v2, p2, s) ← p = p. 

As the list [p-p, p2-v2|s] is in L1, the head of the clause is in S2. Take a ground instance 

sat_cl5a(v1, p1, v2, p2, s) ← sat_cl3(s, v2, p2) 

of (17), with the body atom in S2. Then [p2-v2|s] ∈ L1, hence [p1-v1, p2-v2|s] ∈ L1, 
and thus sat_cl5a(v1, p1, v2, p2, s) ∈ S2. 

From a declarative point of view, our program is ready. The logic program P2 consists 
of rules (2), (3), (6), and (11) – (17). It is correct w.r.t. S2 and semi-complete w.r.t. 
S2^0. 



Avoiding floundering. When selecting sat_cl5 is delayed as described above, program 
P2 may flounder; a nonempty query with no selected atom may appear in a computation. 
Floundering is a kind of pruning SLD-trees, and may cause incompleteness. To 
avoid it, we add a top level predicate sat. It defines the relation (a Cartesian product) 
in which the first argument is as defined by sat_cnf, and the second argument is a list 
of truth values (i.e. of true or false). 

sat(Clauses, Vars) ← sat_cnf(Clauses), tflist(Vars). (18) 

Footnote: For instance, a query sat_cnf([[true-X, false-Y]]) would lead to a query consisting of a 
single atom sat_cl5(X, true, Y, false, []), which is never selected. On the other hand, a query 
sat_cnf([[true-X, false-Y], [false-X]]) would lead to selecting sat_cl3([], X, false), binding X to 
false, and then sat_cl5(false, true, Y, false, []) is not delayed. 

(Predicate tflist will define the set of truth value lists.) The intended initial queries 
are of the form 

sat(f, l), where f is a (representation of a) propositional formula, 
l is the list of variables in f. (19) 

Such query succeeds iff the formula f is satisfiable. In each non failed derivation, 
tflist(l) will eventually bind all the variables of l, and hence all the variables of f. Thus 
all the delayed atoms will be selected. So for the intended initial queries floundering is 
avoided. Moreover, the program has now an additional functionality, as in an answer 
sat(f, l)θ the list lθ represents a variable assignment satisfying f (i-th element of lθ is 
the value of the i-th variable of l). 

Footnote: Alternatively, non-floundering of this program can be shown automatically, by means of program 
analysis (King 2012; Genaim and King 2008). 

We use auxiliary predicates to define the set of truth values, and of the lists of truth 
values. The extended formal specification S3 for correctness consists of atoms 



sat(t, u), where t ∈ L2, 
tflist(u), u is a list whose elements are 
tf(true), true or false. (20) 
tf(false), 

and those of S2 (i.e. the atoms of (7), (10)). The extended specification for completeness 
consists of S2^0 and of the atoms described by modified (20) where L2 is replaced 
by L2^0. The three new predicates are defined in a rather obvious way, following (Howe 
and King 2012): 

tflist([]). (21) 
tflist([Var|Vars]) ← tflist(Vars), tf(Var). (22) 
tf(true). (23) 
tf(false). (24) 



We leave for the reader checking of SC (which is trivial for sat and tf, and rather 
simple for tflist). This completes our construction. The logic program P3 consists of 
rules (2), (3), (6), (11) – (18), and (21) – (24). We will also refer to the program 
with one of the clauses for sat_cl5 removed. Let us denote P31 = P3 \ {(14)} and 
P32 = P3 \ {(15)}. Each of the three programs is correct w.r.t. S3 and complete w.r.t. 
S3^0. 

Termination of P3. To establish completeness of P3 we show that it is recurrent. 
Consider a level mapping 

|sat(t, u)| = max( 3|t|, listsize(u) ) + 2, 
|sat_cnf(t)| = 3|t| + 1, 
|sat_cl(t)| = 3|t| + 1, 
|sat_cl3(t, u1, u2)| = 3|t| + 1, 
|sat_cl5(u1, u2, u3, u4, t)| = 3|t| + 3, 
|sat_cl5a(u1, u2, u3, u4, t)| = 3|t| + 2, 
|tflist(u)| = listsize(u), 
|t = u| = |tf(t)| = 0, 

where t, u, u1, u2, u3, u4 are arbitrary ground terms, |t| is as in Sect. 3.2 and listsize 
is defined by listsize([h|t]) = listsize(t) + 1 and listsize(f(t1, ..., tn)) — for any f 
which is not [ | ]. For example consider (11). For any its ground instance sat_cl([p-v|t]) 
← sat_cl3(t, v, p), the level mapping of the head is 3|t| + 4, while that of the body atom 
is 3|t| + 1. We leave to the reader further details of the proof that P3 is recurrent. 

The program is semi-complete and recurrent, hence it is complete (w.r.t. S3^0). 

As an additional corollary we obtain termination of P3 under any selection rule for 
the intended initial queries. Consider a query Q = sat(t, t'), where t is a list of lists of 
elements of the form s-s', and t' is a list. Each intended query to the program is of 
this form. Q is bounded (for each its ground instance Qθ, |Qθ| is the same). As P3 is 
recurrent, each SLD-tree for P3 and Q is finite. 
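The decrease that recurrence requires can be checked mechanically for the non-unit clauses shown in this section. The Python sketch below is an added illustration, not part of the paper; it assumes |[h|t]| = max(|h|, |t|) + 1 and |f(...)| = 0 for other terms (Sect. 3.2 is not reproduced here; this choice agrees with the 3|t| + 4 computed above for (11)), takes listsize of a non-list term to be 0, and samples ground instances from a small universe, so it is a bounded check, not a proof. The parameter k is a hypothetical knob added to show that a smaller coefficient than 3 breaks the decrease.

```python
from itertools import product

# Prolog lists are modelled as Python tuples; every other ground term
# (constants, pairs Pol-Var) is modelled as a string.

def size(t):
    """|t|, assumed as in Sect. 3.2: |[h|t]| = max(|h|, |t|) + 1, and 0 for any other term."""
    return max(size(t[0]), size(t[1:])) + 1 if isinstance(t, tuple) and t else 0

def listsize(t):
    """listsize([h|t]) = listsize(t) + 1; taken to be 0 for a non-list term (assumption)."""
    return len(t) if isinstance(t, tuple) else 0

def level(atom, k=3):
    """The level mapping of this section; k is the coefficient of |t| (3 in the paper)."""
    name, *a = atom
    if name == "sat":
        return max(k * size(a[0]), listsize(a[1])) + 2
    if name in ("sat_cnf", "sat_cl", "sat_cl3"):
        return k * size(a[0]) + 1
    if name == "sat_cl5":
        return k * size(a[4]) + 3
    if name == "sat_cl5a":
        return k * size(a[4]) + 2
    if name == "tflist":
        return listsize(a[0])
    return 0                                   # atoms t = u and tf(t)

def ground_instances(terms, lists):
    """Yield (rule number, head, body) for sampled ground instances of (11)-(18), (22)."""
    for v1, p1, v2, p2 in product(terms, repeat=4):
        yield 12, ("sat_cl3", (), v1, p1), [("=", v1, p1)]
        for ps in lists:
            yield 11, ("sat_cl", (f"{p1}-{v1}",) + ps), [("sat_cl3", ps, v1, p1)]
            yield 13, ("sat_cl3", (f"{p2}-{v2}",) + ps, v1, p1), [("sat_cl5", v1, p1, v2, p2, ps)]
            yield 14, ("sat_cl5", v1, p1, v2, p2, ps), [("sat_cl5a", v1, p1, v2, p2, ps)]
            yield 15, ("sat_cl5", v1, p1, v2, p2, ps), [("sat_cl5a", v2, p2, v1, p1, ps)]
            yield 16, ("sat_cl5a", v1, p1, v2, p2, ps), [("=", v1, p1)]
            yield 17, ("sat_cl5a", v1, p1, v2, p2, ps), [("sat_cl3", ps, v2, p2)]
    for v, vs in product(terms, lists):
        yield 22, ("tflist", (v,) + vs), [("tflist", vs), ("tf", v)]
    for cs, vs in product(lists, repeat=2):
        yield 18, ("sat", cs, vs), [("sat_cnf", cs), ("tflist", vs)]

def violations(k=3):
    """Rule numbers having a sampled ground instance whose head is not above every body atom."""
    terms = ["true", "false", ("a",)]                         # constructed sample terms
    lists = [(), ("a",), ("a", "b"), (("a", "b"), ("c",))]    # constructed sample lists
    return sorted({r for r, head, body in ground_instances(terms, lists)
                   if any(level(head, k) <= level(b, k) for b in body)})

if __name__ == "__main__":
    print("k = 3:", violations(3))
    print("k = 2:", violations(2))
```

With coefficient 2 the head of (13) and its body atom sat_cl5 get the same level, which is why the offsets 3, 2, 1 for sat_cl5, sat_cl5a, sat_cl3 need a coefficient of at least 3.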



Completeness and pruning. We intend to prune the SLD-trees by using only one of the 
clauses (14), (15) whenever an atom sat_cl5(...) is selected. The approach of Sect. 3.3 
makes it possible to show that the resulting pruned SLD-trees remain complete w.r.t. 
S3^0. The trees are csSLD-trees for P31, P32. If the root of such tree is Q, as in the 
previous paragraph, then by Corollary 6 the tree is complete w.r.t. S3^0. Informally, 
all the answers for Q required by the specification are produced by the tree; this is 
independent from the selection rule. 
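The covering condition (SC2) used throughout this section, and the claim that it still holds when (14) or (15) is dropped (the hypothesis needed for pruning with P31 and P32), can be checked exhaustively on a bounded universe. The following Python sketch is an added illustration, not code from the paper; it assumes L1^0 is the set of non-empty lists of pairs over {true, false} containing some pair t-u with t = u, encodes only clauses (11) – (17) and the meaning of =, and bounds the list argument at length 3.

```python
from collections import namedtuple
from itertools import product

Pair = namedtuple("Pair", "pol var")           # the term Pol-Var
TV = ("true", "false")
ALL_PAIRS = [Pair(p, v) for p, v in product(TV, TV)]
P2_RULES = {11, 12, 13, 14, 15, 16, 17}

def in_l1_0(lst):
    """Assumed L1^0: a non-empty list of pairs in which some pair has equal components."""
    return bool(lst) and all(isinstance(e, Pair) for e in lst) and any(e.pol == e.var for e in lst)

def in_spec(atom):
    """Membership in the completeness specification, following (10) with L1 replaced by L1^0."""
    name, *a = atom
    if name == "=":
        return a[0] == a[1]
    if name == "sat_cl":
        return in_l1_0(a[0])
    if name == "sat_cl3":                      # sat_cl3(s, v, p) stands for [p-v|s]
        s, v, p = a
        return in_l1_0((Pair(p, v),) + s)
    v1, p1, v2, p2, s = a                      # sat_cl5 / sat_cl5a stand for [p1-v1, p2-v2|s]
    return in_l1_0((Pair(p1, v1), Pair(p2, v2)) + s)

def instances(atom):
    """Yield (rule number, body) for each ground instance of (11)-(17) whose head is atom."""
    name, *a = atom
    if name == "sat_cl":
        if a[0] and isinstance(a[0][0], Pair):
            yield 11, [("sat_cl3", a[0][1:], a[0][0].var, a[0][0].pol)]
    elif name == "sat_cl3":
        s, v, p = a
        if s == ():
            yield 12, [("=", v, p)]
        elif isinstance(s[0], Pair):
            yield 13, [("sat_cl5", v, p, s[0].var, s[0].pol, s[1:])]
    elif name == "sat_cl5":
        v1, p1, v2, p2, s = a
        yield 14, [("sat_cl5a", v1, p1, v2, p2, s)]
        yield 15, [("sat_cl5a", v2, p2, v1, p1, s)]
    elif name == "sat_cl5a":
        v1, p1, v2, p2, s = a
        yield 16, [("=", v1, p1)]
        yield 17, [("sat_cl3", s, v2, p2)]

def covered(atom, rules):
    """atom is covered if it is the head of an allowed clause instance with all body atoms specified."""
    return any(r in rules and all(in_spec(b) for b in body) for r, body in instances(atom))

def candidates(n):
    """All atoms of the four procedures whose list argument has at most n pairs over TV."""
    for k in range(n + 1):
        for s in product(ALL_PAIRS, repeat=k):
            yield ("sat_cl", s)
            for v, p in product(TV, TV):
                yield ("sat_cl3", s, v, p)
            for v1, p1, v2, p2 in product(TV, repeat=4):
                yield ("sat_cl5", v1, p1, v2, p2, s)
                yield ("sat_cl5a", v1, p1, v2, p2, s)

def uncovered(rules, n=3):
    """Specified atoms (bounded by n) that the given subset of rules fails to cover."""
    return [a for a in candidates(n) if in_spec(a) and not covered(a, rules)]

if __name__ == "__main__":
    for name, rules in [("P2", P2_RULES), ("without (14)", P2_RULES - {14}),
                        ("without (15)", P2_RULES - {15}), ("without (16)", P2_RULES - {16})]:
        print(name, "uncovered atoms:", len(uncovered(rules)))
```

Dropping both (14) and (15) leaves exactly the sat_cl5 atoms uncovered, which shows that the condition is local to each procedure; an atom such as sat_cl([a, true-true]) is the head of no clause instance at all.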



5 The program with control 

In this section we add control to program P3. As the result we obtain the Prolog 
program of Howe and King (2012). (The predicate names differ, those in the original 
program are related to its operational semantics.) The idea is that P3 with this control 
implements the DPLL algorithm with watched literals and unit propagation. 

Footnote: However, removing a clause when a literal in it becomes true is implemented only when the literal 
is watched in the clause. 

The control added to P3 modifies the default Prolog selection rule (by a block 
declaration), and prunes some redundant parts of the search space (by the if-then-else 
construct). So correctness and termination of P3 are preserved (as we proved 
termination for any selection rule). We introduce two cases of pruning; for the first one we 
proved that the completeness is preserved. For the second one we justify completeness 
informally. 

The first control feature to impose is delaying sat_cl5 until its first or third argument 
is not a variable. This can be done by a Sicstus block declaration 

:- block sat_cl5(-, ?, -, ?, ?). (25) 

For the intended initial queries, such delaying does not lead to floundering (as shown 
in the previous section). So the completeness of the logic program is preserved. 

The first case of pruning is using only one of the two rules (14), (15) 

sat_cl5(Var1, Pol1, Var2, Pol2, Pairs) ← sat_cl5a(Var1, Pol1, Var2, Pol2, Pairs). 
sat_cl5(Var1, Pol1, Var2, Pol2, Pairs) ← sat_cl5a(Var2, Pol2, Var1, Pol1, Pairs). 

the one which invokes sat_cl5a with the first argument bound. We achieve this by 
employing the nonvar built-in and the if-then-else construct of Prolog: 

sat_cl5(Var1, Pol1, Var2, Pol2, Pairs) ← 
    nonvar(Var1) → sat_cl5a(Var1, Pol1, Var2, Pol2, Pairs) ; 
    sat_cl5a(Var2, Pol2, Var1, Pol1, Pairs). (26) 

Alternatively, the cut could be used, which however seems less elegant. A proof was 
given in the previous section that this pruning preserves completeness. 

An efficiency improvement related to rules (16), (17) 

sat_cl5a(Var1, Pol1, Var2, Pol2, Pairs) ← Var1 = Pol1. 
sat_cl5a(Var1, Pol1, Var2, Pol2, Pairs) ← sat_cl3(Pairs, Var2, Pol2). 

is possible. Procedure sat_cl5a is invoked with the first argument Var1 bound. If 
the first argument of the initial query sat(f, l) is a (representation of a) propositional 
formula then sat_cl5a is called with its second argument Pol1 being true or false. So 
the unification Var1 = Pol1 in (16) works as a test, and the rule binds no variables. 
Thus after a success of rule (16) there is no point in invoking (17), as the success of 
(16) produces the most general answer for sat_cl5a(...), which subsumes any other 
answer. Hence the search space can be pruned accordingly. We do this by converting 
the two rules into 

sat_cl5a(Var1, Pol1, Var2, Pol2, Pairs) ← 
    Var1 = Pol1 → true ; sat_cl3(Pairs, Var2, Pol2). (27) 

Footnote: So = may be replaced by the built-in ==, as in (Howe and King 2012). 

This completes our construction. The obtained Prolog program consists of 
declaration (25), the rules of P3 except for those for sat_cl5 and sat_cl5a, i.e. (2), (3), (6), 
(11) – (13), (18), (21) – (24), and Prolog rules (26), (27). It is correct w.r.t. S3, and 
is complete w.r.t. S3^0 for queries of the form (19). 



6 Conclusions 

This paper presents proof methods for proving correctness and completeness of definite 
clause programs, and provides an example of their application: a systematic 
construction of a Prolog program, the SAT solver of (Howe and King 2012). Starting from a 
formal specification, a definite clause program, called P3, is constructed hand in hand 
with a proof of its correctness and completeness (Sect. 4). The final Prolog program 
is obtained from P3 by adding the control (delays and pruning the SLD-tree, Sect. 5). 
Correctness, completeness and termination of a pure logic program can be dealt with 
formally, and we proved them for P3. Adding control preserves correctness and 
termination (as termination of P3 is independent from the selection rule). We partly proved, 
and partly justified informally that completeness is preserved too. 

The employed proof methods are of separate interest. The method for correctness 
(Clark 1979) is simple, should be well-known, but is often neglected. A contribution of 
this paper is a method for proving completeness (Sect.pO|), a simplification of that of 
(Drabent and Milkowska 2005). It introduces a notion of semi-completeness, for which 
the corresponding sufficient condition deals with program procedures separately, while 
for completeness the whole program has to be taken into account. Also a sufficient 
condition was given that a certain kind of SLD-tree pruning preserves completeness 
(Sect. 3.3). The methods for proving correctness and semi-completeness are purely 
declarative, however proving completeness refers to program termination. The reason 
is that in practice termination has to be considered anyway, and a pure declarative 
approach to completeness is more complicated (Sect. 3). 

We point out usefulness of approximate specifications (p. 5). They are crucial in 
avoiding unnecessary complications in correctness and completeness proofs. They are 
natural: when starting construction of a program, the relations it should compute are 
often known only approximately. In (Sect. 3.4) we compared the proof methods with 
declarative diagnosis (algorithmic debugging). We showed how approximate 
specifications lead to avoiding a drawback of declarative diagnosis. 

We are interested in declarative programming. Our main example was intended to 
show how much of the programming task can be done without considering the 
operational semantics, how "logic" could be separated from "control." A substantial part 
of work could be done at the stage of a pure logic program, where correctness, 
completeness and termination could be dealt with formally. It is important that all the 
considerations and decisions about the program execution and efficiency (only 
superficially treated here) are independent from those related to the declarative semantics, to 
the correctness of the final program, and - to a substantial extent - its completeness. 

Footnote: Employing the cut instead of if-then-else, we may obtain the following rules for sat_cl5, sat_cl5a: 

sat_cl5(Var1, Pol1, Var2, Pol2, Pairs) ← nonvar(Var1), !, 
    sat_cl5a(Var1, Pol1, Var2, Pol2, Pairs). 
sat_cl5(Var1, Pol1, Var2, Pol2, Pairs) ← 
    sat_cl5a(Var2, Pol2, Var1, Pol1, Pairs). 
sat_cl5a(Var1, Pol1, Var2, Pol2, Pairs) ← Var1 = Pol1, !. 
sat_cl5a(Var1, Pol1, Var2, Pol2, Pairs) ← sat_cl3(Pairs, Var2, Pol2). 

We argue that the employed proof methods are simple, and correspond to a 
natural way of declarative thinking about programs (Sect. 3.5). We believe that they can 
be actually used - maybe at an informal level - in practical programming; this is 
supported by our main example. 



Appendix A 

Here we present a proof of Th. 4, a stronger variant (Prop. 8) of this theorem, and a 
proof of Prop. 5. 

Theorem 4 (Completeness) 

Let P be a definite clause program, S a specification, and Q a query. 
If 
  all the atoms from S are covered by P, and 
  there exists a finite SLD-tree for Q and P 
then P is complete for Q w.r.t. S. 

If all the atoms from S are covered by P then P is semi-complete w.r.t. S. 

Proof 

Assume that all specified atoms (i.e. the atoms in S) are covered, and that a ground 
query Qθ consists of specified atoms (i.e. S ⊨ Qθ). For any selection rule R, there 
exists an SLD-derivation D_R for Qθ and program ground(P), such that (a) all the 
queries of D_R consist of specified atoms, and (b) D_R is successful or infinite. By the 
lifting theorem (Doets 1994, Th. 5.37), it has a lift D'_R, which is an SLD-derivation for 
Q and P. 

So each SLD-tree for Q and P has a branch which is a lift of a derivation of the 
form D_R above. If the tree is finite then the derivation is finite, hence successful, and 
all the atoms of Qθ are in M_ground(P) = M_P. 

This proves the first implication of the theorem, the second one follows immediately. 
□ 

We now present an example for which Th. 4 is inapplicable, and introduce a relevant 
criterion for completeness. 

Example 7 

Program P = {p(s(X)) ← p(X). p(0). q(X) ← p(Y).} is complete w.r.t. specification 
S = {p(s^i(0)) | i > 0} ∪ {q(0)}. It loops for queries p(X) and q(X). Moreover it loops 
for any instance of q(X). However all the derivations for these queries and program 
ground(P) are finite. 

Proposition 8 (Completeness) 

In Th. 4 condition "there exists a finite SLD-tree for Q and P" can be replaced by 
"for each ground instance Qθ such that S ⊨ Qθ there exists a finite SLD-tree for Q 
and ground(P)." 

Proof 

The finite SLD-tree has a branch, which is a derivation D_R as in the proof of Th. 4. The 
derivation is finite, hence successful, and all the atoms of Qθ are in M_ground(P) = M_P. 
□ 

Proposition 5 

Let Π1, ..., Πn be programs, Q a query, and S a specification. 
If 
  for each i = 1, ..., n, all the atoms from S are covered by Πi, and 
  a csSLD-tree T for Q is finite 
then T is complete w.r.t. S. 

Proof (outline) 

A generalization of the proof of Th. 4. Let Q' be a node of T which has a ground 
instance Q'σ such that S ⊨ Q'σ. Let the k-th atom A of Q' be selected in Q'. Assume 
that Πi is applied to construct the children of Q'. Atom Aσ is covered by Πi, let 
Aσ ← B1, ..., Bm be a ground instance of a rule from Πi, with B1, ..., Bm ∈ S. Let 
Q'' be Q'σ with Aσ replaced by B1, ..., Bm. Then, by the lifting theorem (Doets 1994, 
Th. 5.37), Q'' is an instance of a child Q+ of Q' in T. Obviously, S ⊨ Q''. 

Let S ⊨ Qθ for a ground instance Qθ of Q. By induction, there exists a branch Δ 
in T such that (1) each its node has a ground instance consisting of atoms from S, 
(2) the sequence of ground instances is a derivation Γ for Qθ and ground(∪i Πi), and 
(3) Δ is a lift of Γ. Each nonempty query of Δ has a successor. As T is finite, Δ is a 
successful derivation (for Q and ∪i Πi). By the lifting theorem, Qθ is an instance of 
the answer of Δ, which is an answer of T. □ 